mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Add FAQ 61 about matchsize 116 != 308; fix reference in the packet marking article
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
6b8b90a984
commit
deadffcee3
22
docs/FAQ.xml
22
docs/FAQ.xml
@ -1631,6 +1631,28 @@ iptables: Invalid argument
|
|||||||
<filename>/etc/shorewall/modules </filename>and modify the copy to
|
<filename>/etc/shorewall/modules </filename>and modify the copy to
|
||||||
include only the modules that you need.</para>
|
include only the modules that you need.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section id="faq61">
|
||||||
|
<title>(FAQ 61) I just installed the latest Debian kernel and now
|
||||||
|
"shorewall start" fails with the message "ipt_policy: matchsize 116 !=
|
||||||
|
308". What's wrong?</title>
|
||||||
|
|
||||||
|
<para>Answer: Your iptables is incompatible with your kernel. Either
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>rebuild iptables using the kernel headers that match your new
|
||||||
|
kernel; or</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>if you don't need policy match support (you are not using the
|
||||||
|
IPSEC implementation built into the 2.6 kernel) then you can rename
|
||||||
|
<filename>/lib/iptables/libipt_policy.so</filename>.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|
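Review bot: In the second list item of the new faq61 section, "you can rename <filename>/lib/iptables/libipt_policy.so</filename>" gives no target name and does not say what the rename achieves, so a reader cannot tell how to apply the workaround or revert it later. Suggest stating the effect (policy match support is no longer available to iptables) and that the rename has to be undone if the 2.6 kernel IPSEC implementation is used later. The answer paragraph also ends on a dangling "Either" with an empty line before </para>; "Either:" or a full lead-in sentence would read better ahead of the itemizedlist.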
@ -339,7 +339,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Remember that even though 'ping' packets were marked in one of
|
<para>Remember that even though 'ping' packets were marked in one of
|
||||||
the first two rules, they are still passed on to rule 3 (note that
|
the first two rules, they are still passed on to rule 5 (note that
|
||||||
packets marked by rules 3 and 4 are not processed by this rule since
|
packets marked by rules 3 and 4 are not processed by this rule since
|
||||||
it is in a different program). That rule moves the connection mark to
|
it is in a different program). That rule moves the connection mark to
|
||||||
the packet mark, <emphasis>if the packet mark is still zero</emphasis>
|
the packet mark, <emphasis>if the packet mark is still zero</emphasis>
|
||||||
|
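Review bot: The changed line now points at "rule 5", but the reference is still by number only, which is how it went stale; the parenthetical that follows also cites "rules 3 and 4" by number. Suggest identifying the rule by its function as well, for example "rule 5 (the rule that moves the connection mark to the packet mark)", so the sentence stays correct if the example rules are renumbered again.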